Known issues
The following issues have been identified in FortiGate-6000 and FortiGate-7000 FortiOS 6.4.8 Build 1823. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.4.8 release notes also apply to FortiGate-6000 and 7000 FortiOS 6.4.8 Build 1823.
Bug ID | Description |
---|---|
653092 | You cannot use the SLBC management interface IP address to manage a FortiGate-6000 or 7000 by connecting to a data interface. |
674979 | The GUI incorrectly shows more traffic on FortiGate-6000 HA interfaces than what is actually occurring. |
682426 | Traffic log messages are only transmitted through a dedicated HA management interface when ha-direct is enabled. |
715541 | FortiGate-7000E platforms do not support using a LAG for FGSP session synchronization. |
724543 | Outbound bandwidth traffic statistics are showing incorrectly on individual FIM and FPM GUI pages. |
734898 | Under some conditions when a FortiGate-6000 or 7000 is very busy, when making configuration changes either manually or using a script, the |
752402 | In some cases traffic may be blocked from passing through a FortiGate-7000F because FortiOS assigned an incorrect MAC address to a VLAN interface. This problem may resolve itself after the system has been operating for a few minutes. Restarting the FortiGate-7000F will also resolve the problem. |
767742 | Because of a limitation of the FIM-7921F switch hardware, the FortiGate-7121F with FIM-7921Fs does not support adding VLANs to flow rules. The vlan setting of the config load-balance flow-rule command is ignored. |
771680 | Configuring SSL VPN Web portals from the GUI does not work correctly. Configuring SSL VPN Web portals from the CLI does work as expected. |
773766 | The fnbamd and radiusd processes may crash when the FortiGate-6000 or 7000 is managing large numbers of single sign on users. |
777415 | In a FortiGate-6000 or 7000 FGCP HA configuration, dynamic addresses received by an SDN connector may not be synchronized to the secondary FortiGate-6000 or 7000 in the cluster. |
778239 | For all FortiGate-6000 and 7000 models, the CLI allows you to add up to 512 flow rules. However, the number of flow rules that you can add is actually limited by the FortiGate-6000 and 7000 internal switch hardware: |
780296 | IP addresses received by an ACI SDN connector are not always synchronized to all FPCs or FPMs, especially if a relatively large number of addresses are to be synchronized, for example 2000 addresses. |
782095 | FortiGate-6000 FGCP cluster interfaces may be assigned virtual MAC addresses that overlap with the virtual MAC addresses assigned to the interfaces of other FortiGates in FGCP clusters, even if they have different group IDs. If you have a FortiGate-6000 FGCP cluster on the same network as FGCP clusters with other FortiGates, you can work around this issue by setting the group IDs of other FortiGate clusters on the same network to a value of 81 or higher. |
782338 | A single SSL VPN user session can tie up multiple IP addresses, resulting in no more IP addresses being available for new SSL VPN sessions. You may be able to reduce the impact of this issue by disabling limiting user logins, by entering the following command: `config vpn ssl web portal` `edit "name"` `set limit-user-logins disable` `end`. You can also use the following command to list all active SSL VPN tunnels: `execute vpn sslvpn list`. The command output lists all active SSL VPN tunnels in order by index number. If there are missing index numbers, you can use the following command to delete tunnels with those missing index numbers, freeing up the IP addresses that were tied up by those tunnels: `execute vpn sslvpn del-tunnel <missing index>` |
782640 | When viewing FortiView pages from a VDOM the FortiGate-6000 or 7000 may not be able to retrieve data from FortiAnalyzer. The FortiView pages will display the error message "Failed to retrieve FortiView data". |
782978 | If you attempt to create an FGCP HA cluster and the FortiGate-6000s or 7000s making up the cluster have different firmware versions, the CLI of one of the FortiGate-6000s or 7000s may display incorrect error messages after restarting. |
783689 | Because of a software issue, FortiGate-6000F DC models with only one DC PSU connected to power may become unstable, causing some FPCs to restart. A single DC PSU should be able to supply sufficient power to operate the management board and all of the FPCs in every FortiGate-6000F DC model. |
786659 | If you are managing a FortiGate-7121F FGCP HA cluster using FortiManager, in some cases the This problem does not appear to affect the secondary FortiGate-7121F in the cluster, so to resume normal operation you can cause an HA failover, causing the secondary FortiGate-7121F to become the primary FortiGate-7121F. Check with Fortinet Support for assistance with restoring operation of the primary FortiGate-7121F. |
792717 | A dialup IPSec VPN tunnel can take a couple of minutes before allowing traffic through it, even though the tunnel appears to be up when viewed from the FortiGate GUI or CLI. This can happen if dead peer detection (DPD) is enabled on a large number of VPN clients accessing the tunnel. Receiving the DPD messages from many clients at the same time can trigger this issue. To work around the problem, you can disable dead peer detection on all FortiClients that access the tunnel. |
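
For the bug 782338 workaround, the following added example (not Fortinet code) parses saved `execute vpn sslvpn list` output, finds the missing tunnel index numbers, and builds the matching `del-tunnel` commands for an operator to review. The output layout, the sample data, the function names, and the assumption that index numbering starts at 0 are all assumptions of this example.

```python
import re

# Constructed sample of `execute vpn sslvpn list` output (layout is assumed).
SAMPLE_OUTPUT = """\
SSL VPN Login Users:
 Index   User    Group   Auth Type   Timeout   From           HTTP in/out   HTTPS in/out
 0       alice   vpn     1(1)        284       198.51.100.7   0/0           0/0
 1       bob     vpn     1(1)        291       198.51.100.9   0/0           0/0

SSL VPN sessions:
 Index   User    Group   Source IP      Duration   I/O Bytes    Tunnel/Dest IP
 0       alice   vpn     198.51.100.7   120        4521/3890    10.212.134.200
 1       alice   vpn     198.51.100.7   95         0/0          10.212.134.201
 4       bob     vpn     198.51.100.9   60         1200/800     10.212.134.204
 6       bob     vpn     198.51.100.9   12         0/0          10.212.134.206
"""

def tunnel_indexes(output):
    """Return the sorted index numbers listed in the sessions section."""
    indexes, in_sessions = set(), False
    for line in output.splitlines():
        if re.match(r"\s*SSL[- ]VPN sessions:", line, re.I):
            in_sessions = True
            continue
        if re.match(r"\s*SSL[- ]VPN .*:\s*$", line, re.I):
            in_sessions = False  # some other section, e.g. login users
            continue
        m = re.match(r"\s*(\d+)\s+\S", line)
        if in_sessions and m:
            indexes.add(int(m.group(1)))
    return sorted(indexes)

def missing_indexes(indexes):
    """Gaps between 0 and the highest listed index (numbering from 0 is assumed)."""
    if not indexes:
        return []
    present = set(indexes)
    return [i for i in range(max(indexes) + 1) if i not in present]

def del_tunnel_commands(output):
    """Build one del-tunnel command per missing index, for operator review."""
    return [f"execute vpn sslvpn del-tunnel {i}"
            for i in missing_indexes(tunnel_indexes(output))]

if __name__ == "__main__":
    for cmd in del_tunnel_commands(SAMPLE_OUTPUT):
        print(cmd)
```
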